How do I tell if my brute force protection (fail2ban) is running?
Solution 1:
I would use fail2ban's client for the check, because it not only tells you if the server is running but also which jails are enabled, which is equally important information: if a particular jail is not enabled, fail2ban does not monitor and perform bans on it.
To check the service:
$ sudo fail2ban-client status
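The jail check described above can be scripted for cron or a monitoring agent. The following is an added example, not part of the original answer: it parses the "Jail list:" line that fail2ban-client status prints and reports any required jail that is missing. The function names and the sample output are constructed for illustration, and the jail names are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example: flag required jails that fail2ban is not enforcing.

# Print the enabled jails, one per line, from `fail2ban-client status` output.
enabled_jails() {
    printf '%s\n' "$1" |
        sed -n 's/^.*Jail list:[[:space:]]*//p' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# missing_jails STATUS_OUTPUT JAIL...
# Prints each required jail that is absent from the enabled list.
# grep -x matches whole lines, so "ssh" does not pass for "sshd".
missing_jails() {
    enabled=$(enabled_jails "$1")
    shift
    for jail in "$@"; do
        printf '%s\n' "$enabled" | grep -qxF -- "$jail" || printf '%s\n' "$jail"
    done
}

# check_fail2ban JAIL...
# Returns 0 only if the server answers and every listed jail is enabled.
# Run as root (or via sudo): the server socket is normally root-only.
check_fail2ban() {
    if ! status=$(fail2ban-client status 2>/dev/null); then
        echo "CRITICAL: fail2ban server not responding" >&2
        return 2
    fi
    missing=$(missing_jails "$status" "$@")
    if [ -n "$missing" ]; then
        # Unquoted on purpose: joins the names onto one line.
        echo "WARNING: jails not enabled:" $missing >&2
        return 1
    fi
    echo "OK: fail2ban running, all required jails enabled"
}

# Constructed sample in the layout `fail2ban-client status` prints.
SAMPLE_STATUS='Status
|- Number of jail:	2
`- Jail list:	sshd, nginx-http-auth'
```

On a live host, call check_fail2ban sshd (plus any other jails you rely on) and alert on a non-zero return code.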
Solution 2:
You should see information in /var/log/fail2ban.log if fail2ban has been started. You'll also see output related to fail2ban activity.
To see whether the process is currently running, use pgrep or ps:
$ pgrep fail2ban -fl
11189 fail2ban-server
$ ps -efww | egrep fail2ban
root 11189 2662 0 16:29 ? 00:00:00 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid
If you installed fail2ban via the package manager or software center, you should see entries in the /etc/rc* directories for fail2ban, which indicate (on default settings and without customization) that it will run on startup.
$ find /etc/rc* | grep fail2
/etc/rc0.d/K99fail2ban
/etc/rc1.d/K99fail2ban
/etc/rc2.d/S99fail2ban
/etc/rc3.d/S99fail2ban
/etc/rc4.d/S99fail2ban
/etc/rc5.d/S99fail2ban
/etc/rc6.d/K99fail2ban
Solution 3:
You can use:
[romano@pern:~] % ps augx | grep fail2ban
root 1374 0.0 0.2 265592 9956 ? Sl jul29 0:12 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid
If you correctly set up a mail address to send info to, you'll receive a mail at startup and shutdown of the system, and one mail for any action (banning an IP, etc.).
There is interesting info in this blog.